Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #45

June 08, 2010

Interesting question we got last night from the CIO of one of the largest financial institutions. He wrote: "Alan, do you know anyone who has deployed a lot of iPhones to their executives and technical people with access back into corporate systems, and have a technical security blanket that lets them sleep well at night?" If any NewsBites reader has an answer, please share (apaller@sans.org) and tell us whether you want credit or anonymity.

-- SANS Network Security 2010, Las Vegas, September 19-27, 2010. 40 courses. Bonus evening presentations include The Return of Command Line Kung Fu and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Initiatives
http://www.sans.org/network-security-2010/

Plus Amsterdam, Kuala Lumpur, Canberra and Portland, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************

TOP OF THE NEWS

Cyber Security Code for Australian ISPs (June 7, 2010)

The Australian government and the country's Internet Industry Association have drafted a voluntary code of practice for Internet service providers and their customers. Among other measures, the code recommends throttling the Internet connections of users whose computers are infected. The document includes recommendations for educating customers, detecting malicious activity, taking action against infected machines, and reporting to the Australian Federal Police and CERT Australia. Australian communications minister Stephen Conroy suggested that if ISPs did not comply with the code voluntarily, it might become mandatory.
-http://www.computerworld.com.au/article/349071/zombie_pcs_quarantined_under_new_isp_code/
-http://www.securecomputing.net.au/News/214257,zombie-pcs-to-be-throttled-isolated-under-new-isp-code.aspx
Text of code:
-http://iia.net.au/images/resources/pdf/icode-v1.pdf
[Editor's Note (Pescatore): There is a lot of goodness here, and the IIA (Internet Industry Association) has already put out similar anti-spam practices that Australian ISPs have to follow. However, a major weak spot is that it says ISPs have to do only one of four actions, and one of the four is simply more education of the end user. If they do that, they don't have to do any of the other three (detection, blocking, reporting). I'd much rather see education be mandatory and at least one of the other three done in addition. US ISPs should take that approach and get out ahead of the Internet neutrality issue.]

A group of NATO experts said that cyber attacks against member nations could justify retaliation. "A large-scale attack on NATO's command and control systems or energy grids could possibly lead to collective defence measures under article 5," which asserts that an armed attack against one NATO country "shall be considered an attack against them all." NATO's next step is to determine the severity of an attack that would justify retaliation, how military force would be used in that retaliation, and what the targets would be. NATO lawyers do not believe existing treaties need to be rewritten because a cyber attack could conceivably have an effect much like a physical assault. The next step echoes US Cyber Command head General Keith Alexander's statement last week that there need to be "clear rules of engagement that say what we can stop." -http://www.timesonline.co.uk/tol/news/world/article7144856.ece

The Ninth US Circuit Court of Appeals has ruled that a man whose personal information, including his Social Security number (SSN), was exposed by a third party has no legal standing to seek damages because he did not suffer materially as a result of the breach. Joel Ruiz had submitted the data as part of a job application. Vangent, the company that processed that application, was holding the data on a laptop that was stolen. The appeals court upheld a lower court ruling that "Ruiz had failed to establish sufficient appreciable, nonspeculative, present harm to sustain a negligence cause of action under California law."
-http://www.theregister.co.uk/2010/06/04/privacy_suit_absolution/
-http://www.leagle.com/unsecure/page.htm?shortname=infco20100528188

The UK Information Commissioner's Office (ICO) has found a Welsh medical practice to be in violation of the Data Protection Act. A staff member at Lampeter Medical Practice downloaded unencrypted patient data to a USB drive; the device was then sent to the Health Boards Business Service Centre by post in March 2010, but the package never arrived. Downloading unencrypted data onto a removable storage device violates the practice's data security policy. The head of the practice has agreed to implement safeguards to ensure that a similar incident will not happen again. All mobile devices, including laptops, will be encrypted, and staff members will be re-educated about the data security policy. The breach affected 8,000 patients.
-http://www.scmagazineuk.com/welsh-medical-practice-hit-by-ico-after-losing-unencrypted-memory-stick/article/171692/

**************************** Sponsored Links: **************************
1) Coffee Coaching: Start your day with a sip of coffee and a byte of technology - http://www.sans.org/info/60283

Australian Federal Police are investigating Google's inadvertent Wi-Fi data collection. At the request of the Federal Attorney-General, the police are attempting to determine whether Google breached the Telecommunications Interception Act when it collected payload data from wireless networks while gathering images for its Street View feature. In a separate, related story, Google said late last week that it will start providing the data it collected to regulators in Germany, Spain and France. Until the announcement, Google had been reluctant to share the information, citing legal concerns. Google chairman and CEO Eric Schmidt said that the company would release the results of both internal and external audits of its data collection practices.
-http://www.securecomputing.net.au/News/214259,federal-police-investigate-google-wifi-privacy-breach.aspx
-http://www.nytimes.com/2010/06/04/business/global/04google.html?partner=rss&emc=rss

Malware Found in Some Windows Phone Apps (June 4 & 7, 2010)

Certain Windows-based mobile phone applications distributed on up to nine download sites contain malware. The scammers appear to have copied familiar applications and repackaged them with malware code embedded. The malware causes infected phones to place calls to premium-rate numbers around the world, so users are hit with surprise charges on their bills. Microsoft is investigating. The malware does not exploit any flaw in Windows; it relies on users installing the trojanized copies, so users are urged to be vigilant about the reliability of the sources from which they download applications.
-http://www.itpro.co.uk/624025/hackers-target-windows-based-phones
-http://news.cnet.com/8301-27080_3-20006882-245.html?part=rss&subj=news&tag=2547-1_3-0-20
[Editor's Note (Schultz): The problem here is by no means exclusive to the Microsoft mobile phone environment. Smartphone applications have for years been available to the user community, although little attention has been paid to security in them.]

Minnesota e-commerce company Digital River is suing a New York man after a database containing sensitive information on nearly 200,000 of its customers made its way into his hands. Eric Porat allegedly tried to sell the information to a Colorado direct marketing company for US $500,000. The company refused the offer, and when he persisted, the company contacted authorities. Porat claims to have obtained the information from India, but declined to provide details. Digital River's legal team believes that Porat "hacked the hacker."
-http://www.startribune.com/local/95584209.html

Insurance Company Denies Data Breach Claim (June 4 & 7, 2010)

A Colorado insurance company says it is not liable for a US $3.3 million claim made by Perpetual Storage regarding a data security breach. In June 2008, backup tapes containing information about 1.7 million patients from University of Utah hospitals were on their way to a Perpetual Storage facility when they were stolen from the car of one of Perpetual's employees. The university sought compensation from Perpetual Storage for costs it incurred as a result of the breach. At the time of the theft, Perpetual had a security breach insurance policy with Colorado Casualty Insurance Co. The insurance company's suit seeks a declaratory judgment that it is not liable for the costs. The missing tapes were recovered and appeared to be untouched; however, the university incurred costs associated with breach notification, credit monitoring and other issues. Perpetual has since changed its breach insurance provider.
-http://www.networkworld.com/news/2010/060510-insurer-says-its-not-liable.html?source=nww_rss
-http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=225402140&cid=RSSfeed_DR_News
[Editor's Note (Schultz): Information security professionals are taught that insuring against information security risk is one of the security risk management options available to organizations today. However, in more cases than not, insurers underpay or refuse altogether to pay when an incident such as the one in this news item occurs. In my mind, information security insurance is thus not a viable risk management option.]
**********************************************************************
The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rob Lee is the curriculum lead instructor for the SANS Institute's computer forensic courses (computer-forensics.sans.org) and a Director at the incident response company Mandiant.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/